[webkit-dev] innerStaticHTML

Maciej Stachowiak mjs at apple.com
Wed Nov 25 12:30:58 PST 2009

On Nov 25, 2009, at 6:05 AM, Adam Barth wrote:

> On Tue, Nov 24, 2009 at 11:21 PM, Maciej Stachowiak <mjs at apple.com>  
> wrote:
>> If we tie it to an element or attribute, people may be tempted to  
>> just do it
>> in markup, which would be insecure.
> Maybe we should have a DOM API called
> webkitJailChildren("no-script-for-you") on Node that prevents future
> children from running script.  Making it a DOM API prevents authors
> from trying to turn the feature on with markup.

Interesting idea. This seems potentially trickier to implement than  
just innerStaticHTML, since nearly every method that mutates the DOM  
will have to check jail status. innerStaticHTML could be limited in  
scope to only operations that happen as part of parsing.

> On Tue, Nov 24, 2009 at 11:27 PM, Michal Zalewski  
> <lcamtuf at google.com> wrote:
>> <span secure_mode="$random_server_generated_nonce">
>> ...unsanitized user content...
>> </span secure_mode="$random_server_generated_nonce">
> I'd rather not go this route in our initial implementation.  I think
> we should target the use case of a web site receiving an untrusted
> string via cross-origin XMLHttpRequest or postMessage.

One obvious likely use case is for sites that wish to sanitize user- 
generated content, for example comment sections of blogs.  
innerStaticHTML is actually decent for that use case. Not quite as  
nice as markup, but I'm wary of introducing parser complexity to  
defend against hostile content that tries to prematurely close the jail.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20091125/ea8b193f/attachment.html>

More information about the webkit-dev mailing list